Shopify Plus Hardening Guide
E-commerce platform hardening for Shopify Plus including SAML SSO, staff permissions, and store security
Overview
Shopify is a leading hosted e-commerce platform used by millions of businesses worldwide. Because it handles customer data, payment information, and business transactions, the security configuration of a Shopify organization directly affects data protection and PCI DSS compliance.
Intended Audience
- Security engineers managing e-commerce platforms
- IT administrators configuring Shopify Plus
- E-commerce managers securing stores
- GRC professionals assessing retail security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Shopify Plus security including SAML SSO, organization management, staff permissions, and store security.
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO so that Shopify Plus organization users authenticate through the corporate identity provider (IdP), which centralizes MFA policy and makes deprovisioning a single action at the IdP.
Prerequisites
- Shopify Plus plan
- Organization owner access
- SAML 2.0 compatible IdP
ClickOps Implementation
Step 1: Access Organization Settings
- Navigate to: Shopify admin → Settings → Users
- Open the organization-level settings and locate the Security section
Step 2: Configure SAML
- Enable SAML authentication
- Enter the IdP settings:
  - SSO URL (the IdP's single sign-on endpoint; it must be HTTPS)
  - Entity ID (the IdP issuer)
  - Certificate (the IdP's X.509 signing certificate, which Shopify uses to verify assertion signatures)
- Download Shopify's service-provider metadata (its entity ID and assertion consumer URL) and register it in the IdP
Step 3: Test and Enforce
- Test SSO with a pilot user in a separate browser session while SAML is still optional
- Enable SSO enforcement so staff can no longer sign in with a Shopify password
- Keep a documented break-glass path (an organization owner with 2FA whose credentials are stored offline) so an IdP outage does not lock the organization out, and verify it works before enforcing
Time to Complete: ~1-2 hours
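The values entered in Step 2 are copied from the IdP's metadata, and a transcription mistake there (an http:// endpoint, a missing signing certificate) silently weakens the trust. The following is an added example, not Shopify's code or tooling: a stdlib-only pre-flight check that parses IdP metadata, extracts the entity ID, SSO URL and signing certificate to transcribe, and reports anything that should block the rollout. The metadata is constructed, and the certificate bytes are a placeholder DER prefix rather than a real X.509 certificate.

```python
"""Pre-flight checks on an IdP's SAML metadata before its values are typed
into Shopify Plus. Added example (not Shopify's code); the metadata below is
constructed and the certificate bytes are a placeholder DER prefix, not a
real X.509 certificate."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
USABLE_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)


def check_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO URL and signing cert, and list anything that
    would weaken the trust: missing entity ID, non-HTTPS endpoint, unusable
    binding, or no signing certificate (without one, assertions cannot be
    verified and a forged login would be accepted)."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("missing entityID on EntityDescriptor")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor (this is not IdP metadata)")
        return {"entity_id": entity_id, "sso_url": None, "cert_der": b"",
                "findings": findings}

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") in USABLE_BINDINGS:
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        findings.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    elif not sso_url.lower().startswith("https://"):
        findings.append(f"SSO URL is not HTTPS: {sso_url}")

    cert_der = b""
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        try:
            cert_der = base64.b64decode("".join(node.text.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("signing certificate is not valid base64")
        break
    if not cert_der:
        if "signing certificate is not valid base64" not in findings:
            findings.append("no signing certificate in metadata")
    elif cert_der[:1] != b"\x30":
        # Every DER-encoded certificate starts with a SEQUENCE tag.
        findings.append("signing certificate does not decode to DER")

    return {"entity_id": entity_id, "sso_url": sso_url, "cert_der": cert_der,
            "findings": findings}


# Placeholder: a DER SEQUENCE header followed by filler, not a real cert.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()


def _metadata(entity_id: str, sso_url: str, with_cert: bool) -> str:
    """Build constructed IdP metadata for the examples below."""
    key = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
           f'<ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>') if with_cert else ""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        f'entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{key}"
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="{sso_url}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed inputs: one clean, one with the two mistakes most worth catching.
GOOD_METADATA = _metadata("https://idp.example.com/saml", "https://idp.example.com/sso", True)
BAD_METADATA = _metadata("https://idp.example.com/saml", "http://idp.example.com/sso", False)

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        result = check_idp_metadata(xml_text)
        print(label, result["entity_id"], result["sso_url"], result["findings"] or "OK")
```

Run it against the metadata file downloaded from the IdP before Step 2; an empty findings list means the three values printed are the ones to enter. The check deliberately stops at "is this DER" rather than parsing the certificate, so it does not catch an expired signing certificate; confirm the validity dates separately.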
1.2 Enforce Two-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require two-step authentication (2FA) for every Shopify staff account, including organization owners.
ClickOps Implementation
Step 1: Enable 2FA Requirement
- Navigate to: Settings → Users
- Enable Require two-step authentication
- Confirm every staff member has enrolled; accounts that cannot enroll should be removed rather than exempted
Step 2: Configure via IdP
- When SAML SSO is enforced (1.1), authentication happens at the IdP, so enforce MFA there as well
- Use phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) for owners and administrators; do not accept SMS or voice codes for these roles
1.3 Configure Login Services
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 6.3 |
| NIST 800-53 | IA-2 |
Description
Restrict the login methods available to staff so the authentication policy set in 1.1 and 1.2 cannot be bypassed through an alternative method.
ClickOps Implementation
Step 1: Review Login Options
- Review the login services offered to staff in the organization's security settings
- Restrict staff to SSO only where SAML has been enforced (1.1)
- Disable any login service that is not required (for example, third-party login once SSO covers all staff)
2. Access Controls
2.1 Configure Staff Permissions
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege for staff accounts: each account receives only the permissions its job function needs, on only the stores it needs.
ClickOps Implementation
Step 1: Review Permission Groups
- Navigate to: Settings → Users
- Review the available permissions and which staff hold each one
- Create custom permission groups per job function so access is granted by role rather than per person
Step 2: Assign Minimum Access
- Assign the minimum necessary permissions; avoid blanket "all permissions" grants
- Separate by function:
  - Store management
  - Orders/fulfillment
  - Products
  - Customers
  - Reports
- Review access on a fixed cadence (at least quarterly) and on role change or offboarding; remove dormant accounts
2.2 Configure Store Access
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Control which stores in the organization each staff account can access.
ClickOps Implementation
Step 1: Configure Store Permissions
- Grant staff access only to the stores their role requires; in a multi-store organization, do not default new staff to all stores
- Keep production and development stores separate and grant development-store access independently of production
- Audit accounts with access to more than one store and confirm each grant is still justified
2.3 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect organization owner accounts.
ClickOps Implementation
Step 1: Inventory Owners
- List the organization owners and any staff with equivalent all-permission access
- Document who holds owner access and why
- Identify privileges that exceed the holder's role
Step 2: Apply Restrictions
- Limit owners to 2-3 named individuals; do not use shared or role mailboxes as owners
- Require 2FA for owners, phishing-resistant where possible
- Monitor owner activity, in particular changes to users, SSO settings, apps, and billing
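The reviews called for in 1.2, 2.1, 2.2 and 2.3 (2FA enrolment, least privilege, cross-store access, owner count) are the same walk over one staff inventory. The following is an added example, not Shopify tooling: an offline review script over a constructed list of staff records shaped like an export of Settings → Users. The field names, the team-to-store policy, the owner-only permission handles and the thresholds are assumptions for illustration, not a Shopify schema.

```python
"""Offline staff access review for a Shopify Plus organization.
Added example, not Shopify tooling. The records are constructed to resemble
an export of Settings -> Users; field names, the team-to-store policy and
the permission handles are assumptions for illustration."""
from dataclasses import dataclass

MAX_OWNERS = 3          # section 2.3: keep organization owners to 2-3 people
STALE_DAYS = 90         # accounts unused this long should be disabled
# Permissions that should stay with owners (assumed handles, not Shopify's).
OWNER_ONLY = {"manage_users", "manage_billing", "manage_apps"}
# Which stores each team legitimately needs (assumed policy).
TEAM_STORES = {
    "leadership": {"us-store", "eu-store", "dev-store"},
    "fulfillment": {"us-store"},
    "marketing": {"us-store", "eu-store"},
    "support": {"us-store", "eu-store"},
}


@dataclass(frozen=True)
class StaffRecord:
    email: str
    team: str
    is_owner: bool
    two_step_enabled: bool
    stores: frozenset        # store handles the account can access
    permissions: frozenset   # permission handles granted
    days_since_login: int


def review_staff(records, max_owners=MAX_OWNERS, stale_days=STALE_DAYS):
    """Return a list of findings; an empty list means the inventory is clean."""
    findings = []
    owners = sorted(r.email for r in records if r.is_owner)
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} organization owners exceeds the limit of "
                        f"{max_owners}: {', '.join(owners)}")
    for r in sorted(records, key=lambda rec: rec.email):
        if not r.two_step_enabled:
            findings.append(f"{r.email}: two-step authentication not enrolled")
        # Cross-store access: anything beyond what the team's policy allows.
        extra = sorted(r.stores - TEAM_STORES.get(r.team, set()))
        if extra:
            findings.append(f"{r.email}: access to {', '.join(extra)} outside "
                            f"team '{r.team}' scope")
        if not r.is_owner:
            held = sorted(r.permissions & OWNER_ONLY)
            if held:
                findings.append(f"{r.email}: non-owner holds owner-only "
                                f"permission(s) {', '.join(held)}")
        if r.days_since_login > stale_days:
            findings.append(f"{r.email}: no login for {r.days_since_login} days; "
                            "disable or remove")
    return findings


# Constructed inventory: four owners (one too many), one without 2FA, one
# cross-store grant, one over-privileged marketer, one dormant support account.
SAMPLE_STAFF = [
    StaffRecord("alice@example.com", "leadership", True, True,
                frozenset({"us-store", "eu-store", "dev-store"}),
                frozenset({"manage_users", "manage_billing"}), 2),
    StaffRecord("bob@example.com", "leadership", True, True,
                frozenset({"us-store", "eu-store"}), frozenset({"manage_users"}), 5),
    StaffRecord("carol@example.com", "leadership", True, True,
                frozenset({"us-store"}), frozenset(), 1),
    StaffRecord("dan@example.com", "leadership", True, False,
                frozenset({"us-store"}), frozenset(), 30),
    StaffRecord("erin@example.com", "fulfillment", False, True,
                frozenset({"us-store", "eu-store"}), frozenset({"orders"}), 1),
    StaffRecord("frank@example.com", "marketing", False, True,
                frozenset({"us-store"}), frozenset({"products", "manage_apps"}), 7),
    StaffRecord("grace@example.com", "support", False, True,
                frozenset({"us-store"}), frozenset({"customers"}), 120),
]

if __name__ == "__main__":
    for line in review_staff(SAMPLE_STAFF):
        print(line)
```

Feed it the real export on the review cadence from 2.1 and keep the output with the review record; each finding maps to a specific action (remove an owner, chase 2FA enrolment, trim a store grant, move a permission, disable an account).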
3. Store Security
3.1 Configure API Access
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure the apps and API credentials that can read or modify store data; an over-scoped app is effectively a staff account that never enrolled in 2FA.
ClickOps Implementation
Step 1: Review Apps
- Navigate to: Settings → Apps and sales channels
- Review installed apps and the access scopes each was granted at install
- Remove apps that are unused or whose vendor is no longer trusted; uninstalling an app revokes its access token
Step 2: Secure API Credentials
- Request the minimum scopes an integration needs; do not grant broad customer or order access unless the function requires it
- Store API credentials in a secrets manager, never in repositories, tickets, or shared documents
- Rotate credentials on a schedule and immediately when a developer leaves or a token may have been exposed
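Reviewing scopes app by app in the admin does not scale past a handful of apps, and it is the comparison against what was approved that matters. The following is an added example, not Shopify tooling: it audits the scopes held by installed apps against an approved-app inventory and a high-risk scope list. The GraphQL query uses the appInstallations and accessScopes fields of the Admin GraphQL API as the author understands them; verify the field names against the API reference for your API version before relying on it. The response, the approved-app inventory and the high-risk list are constructed for illustration.

```python
"""Least-privilege audit of the API scopes held by installed apps.
Added example, not Shopify tooling. The response below is constructed to
match the shape of an Admin GraphQL appInstallations query as the author
understands it; verify field names against the API reference for your API
version. The approved-app inventory and high-risk scope list are
assumptions for illustration."""
import json
import urllib.request

# Assumed query shape; check it against the Admin GraphQL API reference.
APP_SCOPES_QUERY = """
{
  appInstallations(first: 50) {
    edges {
      node {
        app { title handle }
        accessScopes { handle }
      }
    }
  }
}
"""

# Scopes whose grant should always be justified (illustrative, not exhaustive).
HIGH_RISK = {"read_all_orders", "write_customers", "read_users", "write_users",
             "write_orders", "write_discounts"}

# What each approved app was reviewed for (constructed inventory).
APPROVED_APPS = {
    "shipping-helper": {"read_orders", "read_fulfillments", "write_fulfillments"},
    "review-widget": {"read_products", "read_customers"},
}


def audit_app_scopes(response: dict, approved: dict) -> list:
    """Return findings: unknown apps, scopes beyond what was approved, and
    high-risk scopes held by an approved app."""
    findings = []
    for edge in response["data"]["appInstallations"]["edges"]:
        node = edge["node"]
        title, handle = node["app"]["title"], node["app"]["handle"]
        granted = {s["handle"] for s in node["accessScopes"]}
        if handle not in approved:
            findings.append(f"{title} ({handle}): not in the approved-app inventory "
                            f"(grants {', '.join(sorted(granted))}); review or remove")
            continue
        excess = sorted(granted - approved[handle])
        if excess:
            findings.append(f"{title} ({handle}): scopes beyond approval: "
                            f"{', '.join(excess)}")
        risky = sorted(granted & HIGH_RISK)
        if risky:
            findings.append(f"{title} ({handle}): high-risk scopes: {', '.join(risky)}")
    return findings


def fetch_app_installations(shop_domain: str, token: str, api_version: str) -> dict:
    """Run the query against a live store (not exercised offline). The
    /admin/api/<version>/graphql.json path and X-Shopify-Access-Token header
    are Shopify's standard Admin GraphQL conventions; the token must be
    permitted to read app installations."""
    req = urllib.request.Request(
        f"https://{shop_domain}/admin/api/{api_version}/graphql.json",
        data=json.dumps({"query": APP_SCOPES_QUERY}).encode(),
        headers={"Content-Type": "application/json",
                 "X-Shopify-Access-Token": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed response: one clean app, one over-scoped app, one unknown app.
SAMPLE_RESPONSE = {"data": {"appInstallations": {"edges": [
    {"node": {"app": {"title": "Shipping Helper", "handle": "shipping-helper"},
              "accessScopes": [{"handle": "read_orders"}, {"handle": "read_fulfillments"},
                               {"handle": "write_fulfillments"}]}},
    {"node": {"app": {"title": "Review Widget", "handle": "review-widget"},
              "accessScopes": [{"handle": "read_products"}, {"handle": "read_customers"},
                               {"handle": "write_customers"}, {"handle": "read_all_orders"}]}},
    {"node": {"app": {"title": "Old Analytics", "handle": "old-analytics"},
              "accessScopes": [{"handle": "read_all_orders"}, {"handle": "read_customers"}]}},
]}}}

if __name__ == "__main__":
    for line in audit_app_scopes(SAMPLE_RESPONSE, APPROVED_APPS):
        print(line)
```

An app that drifts beyond its approved scopes (a vendor update that requests more on re-authorization) shows up as "scopes beyond approval" and should be treated like a new permission request. For a single custom app checking its own grant, the query `{ currentAppInstallation { accessScopes { handle } } }` returns the same accessScopes shape for the calling app only.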
3.2 Configure Checkout Security
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.10 |
| NIST 800-53 | SC-8 |
Description
Configure the checkout and storefront settings that protect customer and payment data.
ClickOps Implementation
Step 1: Review Checkout Settings
- Confirm HTTPS is enforced for the storefront and checkout (Shopify enables it by default and manages the TLS certificate)
- Configure fraud analysis and review orders flagged as high risk before fulfilling them
- Enable reCAPTCHA on storefront forms (login, account creation, contact) to limit credential stuffing and form abuse
4. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Shopify Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/2FA | 1.1, 1.2 |
| CC6.2 | Staff permissions | 2.1 |
| CC6.7 | API security | 3.1 |
PCI DSS v4.0 Mapping
| Requirement | Shopify Control | Guide Section |
|---|---|---|
| 7 | Staff permissions | 2.1 |
| 8 | Authentication | 1.1, 1.2 |
Appendix A: References
Compliance Frameworks:
- PCI DSS Level 1 (Service Provider), SOC 2 Type II, SOC 3 – via Compliance Reports
- Viewing Shopify’s Compliance Reports
Security Incidents:
- (2020) Two rogue support team members accessed data from approximately 200 merchants.
- (2024) Third-party app vendor (Saara) exposed 25 GB of data from 1,800+ Shopify stores via a misconfigured MongoDB database. Separately, a threat actor claimed to have 179,873 rows of user data.
- (2025-01) Critical vulnerability in the Consentik Shopify app exposed 4,180+ stores to code injection and account takeover.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO and permissions | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide